Firefox 3.6.2 Plugs Critical Security Hole

Mozilla fixed a security vulnerability in its Firefox browser ahead of schedule after the German government advised the public to stop using the browser.

Mozilla has swatted a critical bug
in its Firefox browser ahead of schedule.
The flaw, which was discovered by
Intevydis founder Evgeny Legerov, had caused enough of a stir to prompt Germany's B??rgerCERT to advise users to ditch
the browser until it was fixed.

According to Mozilla, the Web Open
Font Format (WOFF) decoder contains an integer overflow in a font decompression
routine. As a result, too small a memory buffer could be allocated to store a
downloaded font, and an attacker could exploit the situation to crash a
victim's browser and execute arbitrary code on the system.

Only Firefox 3.6 was affected by
the vulnerability.
"We urge users to promptly update
to this release by selecting "Check for Updates..." from the "Help" menu, or by
visiting https://www.mozilla.com/ for a
free download," according to Mozilla.
The fix is contained within Firefox
3.6.2, which was initially scheduled to be released March 30. After the German
advisory however, Mozilla announced it was moving up the release date.
While security researchers are divided on the idea of switching browsers every
time a vulnerability appears, it was not the first time a government had made
the recommendation. Germany
and France also
advised users to ditch Internet Explorer until the vulnerability tied to the Aurora attack
on Google was patched. That vulnerability was fixed in January.